Fixed conditionals, made explicit superuser, added new app configurations

roles/bootstrap/handlers/clamav.yml

@@ -1,23 +1,6 @@
 ---
 #@TODO write handlers for configuring clamav
 #@NOTE https://wiki.archlinux.org/title/ClamAV
-- name: Check if freshclam file exists
-  stat:
-    path: /etc/clamav/freshclam.conf
-  register: freshclampath
-- name: Check if clamd file exists
-  stat:
-    path: /etc/clamav/clamd.conf
-  register: clamdpath
-- name: Check if milter file exists
-  stat:
-    path: /etc/clamav/clamav-milter.conf
-  register: milterpath
-- name: Create freshclam file if not exists
-  file:
-    path: /etc/clamav/freshclam.conf
-    stat: touch
-  register: freshclam_created
 - name: Create freshclam file
   become: yes
   become_method: sudo
@@ -26,7 +9,6 @@
     dest: /etc/clamav/freshclam.conf
     force: yes
     backup: yes
-  when: not freshclampath.stat.exists
 - name: Create clamd file
   become: yes
   become_method: sudo
@@ -35,7 +17,6 @@
     dest: /etc/clamav/clamd.conf
     force: yes
     backup: yes
-  when: not freshclampath.stat.exists
 - name: Create clamd file
   become: yes
   become_method: sudo
@@ -44,4 +25,70 @@
     dest: /etc/clamav/clamav-milter.conf
     force: yes
     backup: yes
-  when: not freshclampath.stat.exists
+- name: Update clamav virus definitions
+  become: yes
+  become_method: sudo
+  command: freshclam
+- name: Start and enable clamav service
+  service:
+    name: clamav-daemon
+    state: started
+    enabled: yes
+- name: Start and enable clamav onaccess service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-clamonacc
+    state: started
+    enabled: yes
+- name: Restart clamav service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-daemon
+    state: restarted
+- name: Restart clamav onaccess service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-clamonacc
+    state: restarted
+- name: Create freshclam log file
+  become: yes
+  become_method: sudo
+  file:
+    path: /var/log/clamav/freshclam.log
+    state: touch
+    mode: 600
+    owner: clamav
+- name: Start and enable freshclam virus definition update service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-freshclam
+    state: started
+    enabled: yes
+- name: Restart freshclam virus definition update service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-freshclam
+    state: restarted
+- name: Install Fangfrisch
+  become: yes
+  become_method: sudo
+  package:
+    name: fangfrisch
+    state: present
+- name: Create database structure for fangfrisch
+  become_user: clamav
+  become_method: sudo
+  command:
+    argv: [/usr/bin/fangfrisch, --conf, /etc/fangfrisch/fangfrisch.conf, initdb]
+- name: Start and enable fangfrisch virus definition updates
+  become: yes
+  become_method: sudo
+  service:
+    name: fangfrisch.timer
+    state: started
+    enabled: yes

roles/bootstrap/handlers/crowdsec.yml

@@ -1,2 +1,43 @@
 ---
-#@TODO write handlers for configuring crowdsec
+#@TODO write handlers for configuring crowdsec
+- name: Enroll your crowdsec installation
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, console, enroll -e, context, "{{ enrollment_key }}"]
+  register: crowdsec_enrolled
+- name: Install caddy crowdsec collection 
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/caddy]
+- name: Install proftpd crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/proftpd]
+- name: Install sshd crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/sshd]
+- name: Install postgresql crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/pgsql]
+- name: Install denial-of-service HTTP crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/http-dos]
+- name: Install HTTP crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/base-http-scenarios]
+- name: Install Postfix crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/postfix]

roles/bootstrap/handlers/fail2ban.yml

@@ -8,18 +8,24 @@
     path: /etc/systemd/system/fail2ban.service.d
   register: fail2serve_path
 - name: Create relevant fail2ban configuration directory
+  become: yes
+  become_method: sudo
   file:
     path: /etc/fail2ban/jail.d
     state: directory
   register: fail2bandir_created
   when: not fail2path.stat.exists
 - name: Create relevant fail2ban configuration directory
+  become: yes
+  become_method: sudo
   file:
     path: /etc/systemd/system/fail2ban.service.d
     state: directory
   register: fail2servdir_created
   when: not fail2serve_path.stat.exists
-- name: Copy sshd jail file
+- name: Copy protftpd jail file
+  become: yes
+  become_method: sudo
   copy:
     src: ftp.local
     dest: /etc/fail2ban/jail.d/ftp.local
@@ -27,6 +33,8 @@
     backup: yes
   when: fail2path.stat.exists
 - name: Copy sshd jail file
+  become: yes
+  become_method: sudo
   copy:
     src: sshd.local
     dest: /etc/fail2ban/jail.d/sshd.local
@@ -34,25 +42,33 @@
     backup: yes
   when: fail2path.stat.exists
 - name: Copy fail2ban modified service configuration
+  become: yes
+  become_method: sudo
   copy:
     src: override.conf
     dest: /etc/systemd/system/fail2ban.service.d/sshd.local
     force: yes
     backup: yes
   when: fail2serve_path.stat.exists
-- name: Start fail2ban service
+- name: Reload fail2ban service
+  become: yes
+  become_method: sudo
   service:
     name: fail2ban
     state: reloaded
   register: fail2ban_reloaded
-- name: Start fail2ban service
+- name: Start and enable fail2ban service
+  become: yes
+  become_method: sudo
   service:
     name: fail2ban
-    enabled: yes
     state: started
+    enabled: yes
   register: fail2ban_running
   when: fail2ban_reloaded
-- name: Start fail2ban service
+- name: Restart fail2ban service
+  become: yes
+  become_method: sudo
   service:
     name: fail2ban
     state: restarted

roles/bootstrap/handlers/gpg.yml

@@ -22,7 +22,7 @@
     - name: Get gocryptfs decryption configuration file metadata
       stat:
         path: "{{ homedir }}/.ciphers"
-      when: gcfs_masterkey_created
+      when: gcfs_masterkey_created.rc == 0
       register: gcfs_vault
     - name: Copy gocryptfs decryption configuration to this directory
       copy:
@@ -30,7 +30,7 @@
         dest: "{{ homedir }}/.fskeys/ciphers/gocryptfs.conf"
         force: yes
         backup: yes
-      when: gcfs_vault.stat.exists and gcfs_masterkey_created
+      when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
     - name: Create directory in which to mount decrypted gocryptfs vault
       file:
         path: "{{ homedir }}/.mnt/plains"
@@ -41,9 +41,9 @@
         path: "{{ homedir }}/.mnt/plains"
         state: mounted
         fstype: fuse./usr/bin/gocryptfs
-        opts: "nofail,passfile={{ tempfile_created }},config={{ homedir }}/.fskeys/ciphers/gocryptfs.conf"
+        opts: "nofail,passfile={{ tempfile_created.path }},config={{ homedir }}/.fskeys/ciphers/gocryptfs.conf"
       register: gcfs_mounted
-      when: gcfs_vault.stat.exists and gcfs_masterkey_created
+      when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
     - name: Create directory in decrypted gocryptfs vault
       file:
         path: "{{ homedir }}/.mnt/plains/gpg"
@@ -56,7 +56,7 @@
         force: yes
         backup: yes
       register: gpgkeys_copied
-      when: gpg_key_extant and gcfs_mounted
+      when: gcfs_mounted
     #@TODO: Create handler that copies gcfs_masterkey_created text into decrypted vault in-between here
     - name: Import GPG keypair
       become: yes
@@ -64,7 +64,7 @@
       command:
         argv: [gpg, --import, "{{ homedir }}/.mnt/secrets/gpg/main.priv.asc"]
       register: gpgkeys_imported
-      when: gpgkeys_copied
+      when: gpgkeys_copied and gcfs_mounted
     # - name: Unmount the gocryptfs vault
     #   ansible.posix.mount:
     #     path: "{{ homedir }}/.mnt/plains"
@@ -77,5 +77,5 @@
       command:
         argv: [fusermount, -u, "{{ homedir }}/.mnt/plains"]
       when: gpgkeys_copied and gcfs_mounted
-  when: gpg_keypair_copy
+  register: gpg_keypair_copy
   tags: ['copy_gpg']

roles/bootstrap/handlers/main.yml

@@ -10,4 +10,10 @@
     file: git.yml
 - name: Configure fail2ban
   import_tasks:
-    file: fail2ban.yml
+    file: fail2ban.yml
+- name: Configure fail2ban
+  import_tasks:
+    file: clamav.yml
+- name: Configure crowdsec
+  import_tasks:
+    file: crowdsec.yml